Bug#909802: poppler: CVE-2018-16646 denial-of-service via crafted file

Moritz Mühlenhoff jmm at inutil.org
Tue Nov 6 16:14:35 GMT 2018


On Fri, Sep 28, 2018 at 08:32:25PM +0200, Markus Koschany wrote:
> Package: poppler
> X-Debbugs-CC: team at security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for poppler.
> 
> CVE-2018-16646[0]:
> | In Poppler 0.68.0, the Parser::getObj() function in Parser.cc may cause
> | infinite recursion via a crafted file. A remote attacker can leverage
> | this for a DoS attack.

For jessie the wrong patches got applied. They are based on MR 67, which
didn't get merged in favour of the patch from MR 91.

On a more general notice: This bug has virtually no security impact, it's
hard too see why this change was made for an LTS release to begin with,
but at least wait until it's applied/fixed in unstable before backporting.

Cheers,
        Moritz



More information about the Pkg-freedesktop-maintainers mailing list